Chapter 16 - 02 - Learn Troubleshooting Basic Network Issues using Utilities and Tools


Certified Cybersecurity Technician Exam 212-82 Network Troubleshooting

OS Discovery

o Use the -O option to perform OS discovery and obtain the OS details of the target machine. Nmap fingerprints the target's TCP/IP stack, so the scan needs raw-packet privileges (root or Administrator) and gives its most reliable result when it finds at least one open and one closed TCP port on the target.

# nmap -O 10.10.10.16

[Figure 16.93: Screenshot of Nmap OS discovery scan. Zenmap running nmap -O 10.10.10.16: 977 closed ports not shown; open TCP ports 53/domain, 80/http, 88/kerberos-sec, 111/rpcbind, 135/msrpc, 139/netbios-ssn, 389/ldap, 445/microsoft-ds, 464/kpasswd5, 593/http-rpc-epmap, 636/ldapssl, 1061/kiosk, 1069/cognex-insight, 1072/cardax, 1801/msmq, 2049/nfs, 2103/zephyr-clt, 2105/eklogin, 2107/msmq-mgmt, 2968/enpp, 3268/globalcatLDAP, 3269/globalcatLDAPssl, 3389/ms-wbt-server; MAC Address: 00:0C:29:AE:77:F7 (VMware); Device type: general purpose; Running: Microsoft Windows 2016; OS CPE: cpe:/o:microsoft:windows_server_2016; OS details: Microsoft Windows Server 2016 build 10586 - 14393; Network Distance: 1 hop; Nmap done: 1 IP address (1 host up) scanned in 6.89 seconds.]

Module 16 Page 2007 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

o In Nmap, use the smb-os-discovery NSE script to collect OS information from the target machine over the SMB protocol. The script needs TCP port 445 (or 139) reachable and, unlike -O, which infers the OS from stack behaviour, it records what the host itself reports during SMB session setup, so it is the more authoritative of the two when both are available.

# nmap --script smb-os-discovery.nse 10.10.10.10
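The two scans above answer the same question from different evidence: -O guesses from stack behaviour with an accuracy figure, smb-os-discovery records the host's own answer. The following added example (not code from the course or from Nmap) parses Nmap's XML output (-oX) for both result types and decides which claim to trust. SAMPLE_XML is constructed to mirror the page's scans of 10.10.10.16 and 10.10.10.10, plus a hypothetical host 192.0.2.7 with a weak fingerprint; element and attribute names follow Nmap's XML format, while the smb-os-discovery element keys ("os", "server", "workgroup", "cpe") are assumed from the script's structured output.

```python
"""Reconcile nmap -O and smb-os-discovery results from Nmap XML output (-oX).

Added example, not course or Nmap code. SAMPLE_XML is constructed: it mirrors the
page's scans (nmap -O 10.10.10.16, nmap --script smb-os-discovery.nse 10.10.10.10)
plus a hypothetical third host. Element/attribute names follow Nmap's XML format;
the smb-os-discovery keys (os, server, workgroup, cpe) are assumed.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """
<nmaprun scanner="nmap" version="7.80">
 <host><status state="up"/>
  <address addr="10.10.10.16" addrtype="ipv4"/>
  <address addr="00:0C:29:AE:77:F7" addrtype="mac" vendor="VMware"/>
  <ports>
   <port protocol="tcp" portid="53"><state state="open"/><service name="domain"/></port>
   <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
   <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
  </ports>
  <os><osmatch name="Microsoft Windows Server 2016" accuracy="100">
   <osclass type="general purpose" vendor="Microsoft" osfamily="Windows" osgen="2016" accuracy="100">
    <cpe>cpe:/o:microsoft:windows_server_2016</cpe></osclass></osmatch></os>
 </host>
 <host><status state="up"/>
  <address addr="10.10.10.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
   <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
  </ports>
  <hostscript><script id="smb-os-discovery" output="OS: Windows 10 Enterprise 10586">
   <elem key="os">Windows 10 Enterprise 10586</elem>
   <elem key="server">WINDOWS10</elem>
   <elem key="workgroup">WORKGROUP</elem>
   <table key="cpe"><elem>cpe:/o:microsoft:windows_10::-</elem></table>
  </script></hostscript>
 </host>
 <host><status state="up"/>
  <address addr="192.0.2.7" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port></ports>
  <os><osmatch name="Linux 3.2 - 4.9" accuracy="85">
   <osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="4.X" accuracy="85">
    <cpe>cpe:/o:linux:linux_kernel:4</cpe></osclass></osmatch></os>
 </host>
</nmaprun>
"""


def parse_hosts(xml_text):
    """One record per live host: open TCP ports, -O matches, and SMB script fields."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        if h.find("status").get("state") != "up":
            continue
        addr = next(a.get("addr") for a in h.findall("address") if a.get("addrtype") == "ipv4")
        open_ports = sorted(int(p.get("portid")) for p in h.findall("ports/port")
                            if p.find("state").get("state") == "open")
        osmatch = [{"name": m.get("name"), "accuracy": int(m.get("accuracy")),
                    "cpe": [c.text for c in m.findall("osclass/cpe")]}
                   for m in h.findall("os/osmatch")]
        smb = {}
        script = h.find("hostscript/script[@id='smb-os-discovery']")
        if script is not None:
            smb = {e.get("key"): e.text for e in script.findall("elem")}
            smb["cpe"] = [c.text for c in script.findall("table[@key='cpe']/elem")]
        hosts.append({"addr": addr, "open_ports": open_ports, "osmatch": osmatch, "smb": smb})
    return hosts


def best_os(host, min_accuracy=95):
    """Pick the OS claim to trust: the host's own SMB answer beats a stack fingerprint,
    and a fingerprint below min_accuracy is reported as unresolved, not guessed."""
    if host["smb"].get("os"):
        return host["smb"]["os"], "smb-os-discovery"
    good = [m for m in host["osmatch"] if m["accuracy"] >= min_accuracy]
    if good:
        top = max(good, key=lambda m: m["accuracy"])
        return top["name"], f"nmap -O ({top['accuracy']}%)"
    return None, "unresolved"


def next_step(host):
    """Follow-up scan a troubleshooter would run on this host."""
    os_name, source = best_os(host)
    if source == "smb-os-discovery":
        return "done"
    if 445 in host["open_ports"]:  # SMB reachable: ask the host instead of guessing
        return "rerun with --script smb-os-discovery"
    if os_name is None:
        return "rerun -O with --osscan-guess and add -sV for service banners"
    return "done"


if __name__ == "__main__":
    for host in parse_hosts(SAMPLE_XML):
        print(host["addr"], best_os(host), next_step(host))
```

Run it against a real scan with `nmap -O --script smb-os-discovery -oX scan.xml <target>` and feed the file to parse_hosts; the preference order in best_os is the point, not the threshold, which you can tune to how much you trust a stack fingerprint in your environment.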
[Figure 16.94: Screenshot of Nmap OS discovery using the Nmap script engine (NSE). Zenmap running nmap --script smb-os-discovery.nse 10.10.10.10 (Nmap 7.80, 2021-06-28): 993 closed ports not shown; open TCP ports 21/ftp, 80/http, 135/msrpc, 139/netbios-ssn, 445/microsoft-ds, 3389/ms-wbt-server, 5357/wsdapi; Host script results, smb-os-discovery: OS: Windows 10 Enterprise 10586 (Windows 10 Enterprise 6.3); OS CPE: cpe:/o:microsoft:windows_10::-; Computer name: Windows10; NetBIOS computer name: WINDOWS10; Workgroup: WORKGROUP; System time: 2021-06-28T13:39:56+05:30; Nmap done: 1 IP address (1 host up) scanned in 1.56 seconds.]

Wireshark

Source: https://www.wireshark.org

Wireshark captures traffic on a computer network and lets the analyst browse it interactively. It captures through a packet-capture driver: WinPcap on Windows (current releases ship Npcap instead), libpcap on Linux and macOS. It captures live traffic from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, and FDDI networks. Captured files can be edited programmatically from the command line with the editcap and tshark utilities that ship with Wireshark, and display filters refine which of the captured packets are shown. Wireshark helps administrators troubleshoot network problems and analyse traffic in real time to diagnose network-related issues, including common ones such as packet drops, delays, and unnecessary activity on the network.
As shown in the screenshot, Wireshark can be used to sniff and analyze the packet flow in the target network and extract critical information.

[Figure 16.95: Screenshot of Wireshark. Live capture on Ethernet0 with the display filter tcp.port == 80: the packet list shows one TCP conversation between 10.10.10.10 (port 1730) and 117.18.232.200 (port 80), 1454- and 1514-byte PSH/ACK segments from the server answered by 54-byte ACKs from the client; the detail pane shows Frame 269463 (1454 bytes), Ethernet II VMware_fc:26:81 (00:50:56:fc:26:81) to VMware_df:79:4d, IPv4 117.18.232.200 to 10.10.10.10, TCP src port 80, dst port 1730; status bar: Packets: 272993, Displayed: 272628 (99.9%), Profile: Default.]

Wireshark display filters select traffic on the target network by protocol type, IP address, port, and so on. A display filter changes which packets of a capture are shown; it does not change what was captured. To set a filter, type an expression such as a protocol name (arp, http, tcp, udp, dns, ip) into the filter bar. Several conditions can be combined in one expression with && (and), || (or), and ! (not), with parentheses for grouping. Listed below are display filters commonly used for network troubleshooting.

o To investigate HTTP traffic, enter http as the filter.

[Figure 16.96: Screenshot of Wireshark showing an http filter. With http applied, the packet list alternates between 435-byte GET /c/upgr/2020/.. requests from 10.10.10.10 and HTTP/1.1 206 Partial Content responses from 117.18.232.200; the detail pane shows Frame 12434 (435 bytes), Ethernet II VMware_df:79:4d (00:0c:29:df:79:4d) to VMware_fc:26:81, IPv4 10.10.10.10 to 117.18.232.200, TCP src port 1730, dst port 80; status bar: Packets: 225411, Displayed: 1195 (0.5%), Profile: Default.]

o Use the filter ip.addr == <address> to investigate the traffic of an IP address. The field ip.addr matches either the source or the destination address, so both directions of every conversation involving that host are shown, whatever the protocol; to see only its HTTP traffic, combine the conditions: ip.addr == <address> && http.

[Figure 16.97: Screenshot of Wireshark showing the ip.addr filter. With ip.addr == 10.10.10.13 applied, the selected packet is Frame 329845 (65 bytes), Ethernet II VMware_eb:cd:af (00:0c:29:eb:cd:af) to VMware_fc:26:81, IPv4 10.10.10.13 to 8.8.8.8, UDP src port 59173, dst port 53, Domain Name System (query); status bar: Packets: 385254, Displayed: 4317 (1.1%), Profile: Default.]

o Use the filter ip.dst == <address> && http to investigate HTTP traffic towards an IP address.

o Use the filter !(ip.addr == <address>) to discard every packet to or from an IP address. Write the negation this way rather than as ip.addr != <address>: ip.addr carries two values per packet, and older Wireshark releases evaluated != on such a field as "either value differs", which matched almost every packet instead of excluding the host.

o Use the filter ip.src == <network>/24 and ip.dst == <network>/24 to trace the local network traffic, that is, packets whose source and destination both lie in the same /24.

o To track the TCP data content, right-click the selected packet and select Follow TCP Stream (Follow > TCP Stream in current releases). A window displays the reassembled content of that connection in both directions, and the filter bar is set to the matching tcp.stream eq N expression. The content includes the headers and whatever data was exchanged; it is readable only when the protocol carries it in cleartext.

Module 16 Page 2010 Certified Cybersecurity Technician

[Figure: Wireshark Follow TCP Stream window (tcp.stream eq 0) on Ethernet0. The stream content is mostly non-printable bytes, with the host name fs.microsoft.com visible in cleartext.]
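The filters listed above differ in ways that are easy to get wrong from the filter bar alone: ip.addr == X selects both directions of every conversation, a negation has to be written as !(ip.addr == X), and Follow TCP Stream is just the payload of one tcp.stream index concatenated. The following added example (not Wireshark code) implements a small evaluator for exactly the operators the page uses and runs each filter over a constructed packet list modelled on the page's screenshots (the HTTP download from 117.18.232.200, the DNS query from 10.10.10.13, plus one local SMB packet), so the packet numbers each filter keeps can be compared. The packet dictionaries, the field names supported, and the stream index are assumptions of the example.

```python
"""Mini evaluator for the Wireshark display filters listed above, plus a Follow TCP
Stream reassembly, run over a constructed packet list.

Added example, not Wireshark code. PACKETS is constructed to mirror the page's
screenshots; the grammar covers only what the page uses: ==, !=, !/not, &&/and,
||/or, parentheses, CIDR values and bare protocol names.
"""
import ipaddress
import re

PACKETS = [  # constructed sample capture; "stream" plays the role of tcp.stream
    dict(no=1, src="10.10.10.10", dst="117.18.232.200", proto="tcp", sport=1730, dport=80,
         stream=0, layer="http", data=b"GET /download/part3 HTTP/1.1\r\nHost: 117.18.232.200\r\n\r\n"),
    dict(no=2, src="117.18.232.200", dst="10.10.10.10", proto="tcp", sport=80, dport=1730,
         stream=0, layer="http", data=b"HTTP/1.1 206 Partial Content\r\nContent-Length: 5\r\n\r\n"),
    dict(no=3, src="117.18.232.200", dst="10.10.10.10", proto="tcp", sport=80, dport=1730,
         stream=0, layer="tcp", data=b"hello"),
    dict(no=4, src="10.10.10.10", dst="117.18.232.200", proto="tcp", sport=1730, dport=80,
         stream=0, layer="tcp", data=b""),  # bare ACK, no payload
    dict(no=5, src="10.10.10.13", dst="8.8.8.8", proto="udp", sport=59173, dport=53,
         stream=None, layer="dns", data=b"\x12\x34\x01\x00"),
    dict(no=6, src="10.10.10.10", dst="10.10.10.16", proto="tcp", sport=49200, dport=445,
         stream=1, layer="smb", data=b"\xffSMB"),
]

TOKEN = re.compile(r"\s*(\(|\)|&&|\|\||==|!=|!|[A-Za-z_][\w.]*|[\d.]+(?:/\d+)?)")


def field_values(pkt, name):
    """All values a field takes in one packet; ip.addr yields both addresses."""
    if name == "ip.addr":
        return [pkt["src"], pkt["dst"]]
    if name == "ip.src":
        return [pkt["src"]]
    if name == "ip.dst":
        return [pkt["dst"]]
    proto, _, part = name.partition(".")
    if proto != pkt["proto"]:  # e.g. tcp.port on a UDP packet has no value at all
        return []
    return {"port": [pkt["sport"], pkt["dport"]], "srcport": [pkt["sport"]],
            "dstport": [pkt["dport"]]}.get(part, [])


def has_protocol(pkt, name):
    """A bare protocol name (http, dns, tcp, ...) matches packets carrying that layer."""
    return name in ("ip", pkt["proto"], pkt["layer"])


def value_matches(value, literal):
    if "/" in literal:  # CIDR literal such as 10.10.10.0/24
        return ipaddress.ip_address(value) in ipaddress.ip_network(literal, strict=False)
    return str(value) == literal


def compile_filter(text):
    """Recursive-descent parse of a display filter into a predicate on one packet."""
    toks, pos = TOKEN.findall(text), [0]

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None

    def take():
        tok = peek(); pos[0] += 1; return tok

    def parse_or():
        node = parse_and()
        while peek() in ("||", "or"):
            take(); node = (lambda l, r: lambda p: l(p) or r(p))(node, parse_and())
        return node

    def parse_and():
        node = parse_not()
        while peek() in ("&&", "and"):
            take(); node = (lambda l, r: lambda p: l(p) and r(p))(node, parse_not())
        return node

    def parse_not():
        if peek() in ("!", "not"):
            take(); inner = parse_not()
            return lambda p: not inner(p)
        return parse_primary()

    def parse_primary():
        tok = take()
        if tok == "(":
            inner = parse_or()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        if peek() in ("==", "!="):
            op, literal = take(), take()
            if op == "==":  # true if ANY value of the field equals the literal
                return lambda p: any(value_matches(v, literal) for v in field_values(p, tok))
            # legacy semantics of != on a multi-valued field: true if ANY value differs,
            # which is why ip.addr != X matched nearly everything
            return lambda p: any(not value_matches(v, literal) for v in field_values(p, tok))
        return lambda p: has_protocol(p, tok)

    pred = parse_or()
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return pred


def apply_filter(text, packets=PACKETS):
    """Packet numbers Wireshark would display for this filter expression."""
    pred = compile_filter(text)
    return [p["no"] for p in packets if pred(p)]


def follow_tcp_stream(stream_id, packets=PACKETS):
    """Follow TCP Stream: concatenated payload of one connection, both directions.
    Assumes segments arrive in order (no retransmissions), true for this sample."""
    return b"".join(p["data"] for p in packets
                    if p["proto"] == "tcp" and p["stream"] == stream_id)
```

Calling apply_filter with "ip.addr != 10.10.10.10" returns every packet in the sample, while "!(ip.addr == 10.10.10.10)" returns only the DNS query from 10.10.10.13; follow_tcp_stream(0) returns the GET request, the 206 response headers and the body as one byte string, which is what the Follow TCP Stream window renders.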
